Commit 1a23f5e6 authored by Vijay Hawoldar's avatar Vijay Hawoldar

Check authorization to view billableMembersCount

In our GraphQL GroupType we should only return the billableMembersCount field
for users who are authorized to view it (group owners); other callers get null.

Changelog: fixed
EE: true
parent fecbce92
......@@ -85,6 +85,7 @@ module EE
field :billable_members_count, ::GraphQL::Types::Int,
null: true,
authorize: :owner_access,
description: 'Number of billable users in the group.' do
argument :requested_hosted_plan, String, required: false, description: 'Plan from which to get billable members.'
end
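Review bot: The `authorize: :owner_access` on a nullable field means an unauthorized caller simply receives null for `billableMembersCount` (the accompanying spec asserts exactly that for a developer), so nothing in the schema tells API consumers that null is an authorization outcome rather than "no count"; the generated GraphQL reference is built from `description:`, so the restriction belongs there, e.g. `description: 'Number of billable users in the group. Only available to group owners.'`. Whether the `billable_members_count` resolver method performs any checks of its own is outside this hunk, so the visibility of the value now rests on this single owner check and the free-form `requested_hosted_plan` string is still passed through unchanged. The enclosing `module EE` type definition continues outside the hunk.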
......
......@@ -69,20 +69,15 @@ RSpec.describe GitlabSchema.types['Group'] do
describe 'billable members count' do
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, namespace: group) }
let_it_be(:user1) { create(:user) }
let_it_be(:user2) { create(:user) }
let_it_be(:user3) { create(:user) }
let_it_be(:user4) { create(:user) }
before do
group.add_developer(user1)
group.add_guest(user2)
project.add_developer(user3)
project.add_guest(user4)
end
it "returns billable users count including guests when no plan is provided" do
query = <<~GQL
let_it_be(:group_owner) { create(:user) }
let_it_be(:group_developer) { create(:user) }
let_it_be(:group_guest) { create(:user) }
let_it_be(:project_developer) { create(:user) }
let_it_be(:project_guest) { create(:user) }
let(:current_user) { group_owner }
let(:query) do
<<~GQL
query {
group(fullPath: "#{group.full_path}") {
id,
......@@ -90,46 +85,63 @@ RSpec.describe GitlabSchema.types['Group'] do
}
}
GQL
end
result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
before do
group.add_owner(group_owner)
group.add_developer(group_developer)
group.add_guest(group_guest)
project.add_developer(project_developer)
project.add_guest(project_guest)
end
billable_members_count = result.dig('data', 'group', 'billableMembersCount')
subject(:billable_members_count) do
result = GitlabSchema.execute(query, context: { current_user: current_user }).as_json
expect(billable_members_count).to eq(4)
result.dig('data', 'group', 'billableMembersCount')
end
it "returns billable users count including guests when a plan that should include guests is provided" do
query = <<~GQL
query {
group(fullPath: "#{group.full_path}") {
id,
billableMembersCount(requestedHostedPlan: "#{::Plan::SILVER}")
}
}
GQL
context 'when no plan is provided' do
it 'returns billable users count including guests' do
expect(billable_members_count).to eq(5)
end
end
result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
context 'when a plan is provided' do
let(:query) do
<<~GQL
query {
group(fullPath: "#{group.full_path}") {
id,
billableMembersCount(requestedHostedPlan: "#{plan}")
}
}
GQL
end
billable_members_count = result.dig('data', 'group', 'billableMembersCount')
context 'with a plan that should include guests is provided' do
let(:plan) { ::Plan::SILVER }
expect(billable_members_count).to eq(4)
end
it 'returns billable users count including guests' do
expect(billable_members_count).to eq(5)
end
end
it "returns billable users count excluding guests when a plan that should exclude guests is provided" do
query = <<~GQL
query {
group(fullPath: "#{group.full_path}") {
id,
billableMembersCount(requestedHostedPlan: "#{::Plan::ULTIMATE}")
}
}
GQL
context 'with a plan that should exclude guests is provided' do
let(:plan) { ::Plan::ULTIMATE }
result = GitlabSchema.execute(query, context: { current_user: user1 }).as_json
it 'returns billable users count excluding guests when a plan that should exclude guests is provided' do
expect(billable_members_count).to eq(3)
end
end
end
billable_members_count = result.dig('data', 'group', 'billableMembersCount')
context 'without owner authorization' do
let(:current_user) { group_developer }
expect(billable_members_count).to eq(2)
it 'does not return the billable members count' do
expect(billable_members_count).to be_nil
end
end
end
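Review bot: The new `without owner authorization` context proves the gate only for a direct group developer, and `be_nil` on its own cannot distinguish a field withheld by authorization from a query that failed entirely; asserting alongside it that the group still resolved, e.g. `expect(result.dig('data', 'group', 'id')).to be_present`, would show only the count was nulled. Because the `subject` computes `result` locally, that needs the executed query exposed via a separate `let(:result)`. It would also be worth covering the anonymous case with `let(:current_user) { nil }` and a maintainer, since maintainer is the closest role below the `owner_access` boundary the field now enforces.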
......